We’ve seen commentary on the recent industry guidance from the U.S. Department of Homeland Security and want to take this opportunity to share our perspective. The mitigating measures recommended by the DHS Industry Alert are in alignment with the best drone practices we have developed over the past 12 years, driven by our global team of engineers and developed in partnership with our end users, from local public safety heroes to pioneering enterprises and even the U.S. federal government.
Similar to the DHS, we encourage all government and critical infrastructure users to adopt security protocols that better protect their drone data. Contrary to what some parties may choose to believe, our customers’ data is none of our business.
We are in the business of providing a reliable drone platform. We are not interested in capturing and charging users for their data or selling customer data for advertising. Our purpose is simple: to innovate powerful drone platform solutions that empower our end users so that they can accomplish their ambitions more efficiently and safely.
Our guiding principle is to give our customers complete control over how their data is collected, managed, and transferred. We are proud to say that our products not only meet but exceed the mitigating measures set out by the DHS.
We take our responsibility as the global leader in drone technology seriously. We are committed to remaining the industry leader, particularly on data stewardship, by providing the best, safest, and most secure drone technology for our customers. As they are in control of their data, the security of their data is firmly in their hands too.
Below, we have provided additional details on how DJI implements the best practices set forth by the DHS and an additional security measure to provide our customers even greater assurance. We encourage the entire industry to adopt these mitigating measures and remain open to any further recommendations that will help us continue to empower our end users to safeguard their data better.
Drone Industry Data Security Recommendations
Recommendation #1:
Deactivate Internet Connection from Devices Used to Operate the UAS
Our drones do not directly connect to the internet, but instead, use your mobile device or a hotspot-enabled controller with a built-in screen. These devices then connect to the internet for updating apps and firmware, as well as handling other essential functions like updates to our geofencing safety system. We built Local Data mode into our DJI Pilot flight control app, which allows users additional security assurances by stopping any connectivity between DJI’s mobile app and the internet. For customers using our DJI GO family of apps, the same level of security can be obtained by activating Airplane mode on your mobile device when flying.
Recommendation #2:
Take Precautionary Steps Before Installing Updated Software or Firmware
All firmware updates for our drones and their accessories go through our company’s rigorous software quality assurance process, and our flight control mobile apps are additionally reviewed by Google Play and the App stores to ensure they are secure prior to release. For organizations with large-scale drone deployments, the DJI FlightHub Enterprise fleet management software provides your organization’s IT team with full control over the installation of all software and firmware updates to your drone fleet. This means that no mobile app or firmware updates are pushed out unless approved by your IT administrator.
Recommendation #3:
Remove the Secure Digital Card from the Main Flight Controller/Drone
In most cases, our drones and remote controllers feature slots for removable secure digital (SD) memory cards, whose containing data is only accessible to the user. DJI drones do not directly connect to the internet, and no DJI drone or controller is built with a cellular modem installed. Without this data connection, the photos and videos you capture are inherently secure and stay on the SD card. Users should always remove them when the drone is not in use so that if a drone or RC become lost, there is no risk of data leakage.
Recommendation #4:
If an SD Card is Required to Fly the Drone, Remove All Data from the Card After Every Flight
None of DJI’s drone products require an SD card to be installed to operate the drone. Regardless, it is considered good practice to remove the card after each flight, retrieve its data, and erase the SD card before the next flight.
DJI’s Mavic 2 series drones do feature non-removable in-built memory for storing image data. In this situation, download all footage captured from the internal storage drive, then delete the data stored and format the drive after each flight.
Recommendation #5:
Encrypt and Password Protect Your Data
To provide additional data security assurance, we suggest a fifth addition regarding data encryption and password protection. DJI’s newest enterprise drones connect to their controller using our OcuSync 2.0 protocol and are encrypted using the leading AES-256 standard, ensuring critical information exchanged between the drone and its remote is protected.
Our Mavic 2 Enterprise and Mavic 2 Enterprise Dual drones feature password protection. To enhance the security of the drone and this data, users are required to enter a password each time they activate the drone, link a remote controller with the drone, or access the drone’s onboard storage. This provides secure access to the drone and its onboard data while protecting that data, even if the drone is lost or physically compromised.
If you have any questions or would like to request a technical briefing, please send us an email at datasecurity@dji.com.
